<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Redirect</title>
</head>
<body>
  <script>
    function getQueryParameter(name) {
      const urlParams = new URLSearchParams(window.location.search);
      return urlParams.get(name);
    }

    function validateUrl(url) {
      if(typeof url !== "string") {
        throw new Error('invalid');
      }

      // don't allow redirects to the redirect
      if(url.includes("redirect")) {
        throw new Error('invalid');
      }

      const parsedUrl = new URL(url);

      // only allow http and https protocols (don't allow javascript: protocol)
      if(parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
        throw new Error('invalid');
      }

      // only redirect to the same domain
      if(parsedUrl.hostname !== window.location.hostname) {
        throw new Error('invalid');
      }

      return parsedUrl.href;
    }

    const url = getQueryParameter('url');
    try {
      const ref = validateUrl(url);
      window.location = ref;
    } catch (e) {
      document.body.innerHTML = '<h1>invalid redirect</h1>';
    }
  </script>
</body>
</html>
